initial commit for nonAssignablePolicies

This commit is contained in:
Laura Bennett 2016-07-24 22:27:41 -04:00
parent 5a454e1afa
commit 4235173d78
2 changed files with 32 additions and 4 deletions


@ -36,6 +36,9 @@ var (
"root", "root",
cubbyholeResponseWrappingPolicyName, cubbyholeResponseWrappingPolicyName,
} }
nonAssignablePolicies = []string{
cubbyholeResponseWrappingPolicyName,
}
) )
// PolicyStore is used to provide durable storage of policy, and to // PolicyStore is used to provide durable storage of policy, and to
@ -89,7 +92,7 @@ func (c *Core) setupPolicyStore() error {
// Ensure that the cubbyhole response wrapping policy exists // Ensure that the cubbyhole response wrapping policy exists
policy, err = c.policyStore.GetPolicy(cubbyholeResponseWrappingPolicyName) policy, err = c.policyStore.GetPolicy(cubbyholeResponseWrappingPolicyName)
if err != nil { if err != nil {
return errwrap.Wrapf("error fetching default policy from store: {{err}}", err) return errwrap.Wrapf("error fetching cubbyhole response wrapping policy from store: {{err}}", err)
} }
if policy == nil || policy.Raw != cubbyholeResponseWrappingPolicy { if policy == nil || policy.Raw != cubbyholeResponseWrappingPolicy {
err := c.policyStore.createCubbyholeResponseWrappingPolicy() err := c.policyStore.createCubbyholeResponseWrappingPolicy()
@ -114,7 +117,7 @@ func (ps *PolicyStore) SetPolicy(p *Policy) error {
if p.Name == "" { if p.Name == "" {
return fmt.Errorf("policy name missing") return fmt.Errorf("policy name missing")
} }
if strutil.StrListContains(immutablePolicies, p.Name) { if strutil.StrListContains(immutablePolicies, p.Name) || strutil.StrListContains(nonAssignablePolicies, p.Name) {
return fmt.Errorf("cannot update %s policy", p.Name) return fmt.Errorf("cannot update %s policy", p.Name)
} }
@ -210,13 +213,31 @@ func (ps *PolicyStore) ListPolicies() ([]string, error) {
defer metrics.MeasureSince([]string{"policy", "list_policies"}, time.Now()) defer metrics.MeasureSince([]string{"policy", "list_policies"}, time.Now())
// Scan the view, since the policy names are the same as the // Scan the view, since the policy names are the same as the
// key names. // key names.
return CollectKeys(ps.view) keys, err = CollectKeys(ps.view)
for _, nonAssignable := range nonAssignablePolicies {
deleteIndex := -1
//Find indices of non-assignable policies in keys
for index, key := range keys {
if key == nonAssignable {
// Delete collection outside the loop
deleteIndex = index
break
}
}
// Remove non-assignable policies when found
if deleteIndex != -1 {
keys = append(keys[:deleteIndex], keys[deleteIndex+1:]...)
}
}
return keys, err
} }
// DeletePolicy is used to delete the named policy // DeletePolicy is used to delete the named policy
func (ps *PolicyStore) DeletePolicy(name string) error { func (ps *PolicyStore) DeletePolicy(name string) error {
defer metrics.MeasureSince([]string{"policy", "delete_policy"}, time.Now()) defer metrics.MeasureSince([]string{"policy", "delete_policy"}, time.Now())
if strutil.StrListContains(immutablePolicies, name) { if strutil.StrListContains(immutablePolicies, name) || strutil.StrListContains(nonAssignablePolicies, name) {
return fmt.Errorf("cannot delete %s policy", name) return fmt.Errorf("cannot delete %s policy", name)
} }
if name == "default" { if name == "default" {
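Review bot: The new `keys, err = CollectKeys(ps.view)` line in ListPolicies assigns to identifiers that are never declared; the signature shown in the hunk header has unnamed results and the three context lines above hold only the defer and comments, so this looks like a compile error (undefined keys/err) and should read `keys, err := CollectKeys(ps.view)`, followed by an early return when err is non-nil rather than walking an empty slice and returning `keys, err` at the bottom. The find-then-delete loop can also be replaced by a single in-place filter against nonAssignablePolicies, which avoids the index bookkeeping and handles the (future) case of more than one hidden policy without a nested scan; note that GetPolicy is intentionally left unfiltered, so the hidden policy stays readable by name, which is worth a comment. Minor: the `//Find indices` comment is missing the space after `//`. The other hunks in this file (the SetPolicy and DeletePolicy guards) look consistent with each other and need no change.
```go
keys, err := CollectKeys(ps.view)
if err != nil {
	return nil, err
}
// Hide internal (non-assignable) policies from the listing; they remain
// readable by name through GetPolicy.
filtered := keys[:0]
for _, key := range keys {
	if !strutil.StrListContains(nonAssignablePolicies, key) {
		filtered = append(filtered, key)
	}
}
return filtered, nil
```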


@ -1193,6 +1193,13 @@ func (ts *TokenStore) handleCreateCommon(
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
} }
// Prevent internasl policies from being assigned to tokens
for _, policy := range te.Policies {
if strutil.StrListContains(nonAssignablePolicies, policy) {
return logical.ErrorResponse(fmt.Sprintf("cannot assign %s policy", policy)), nil
}
}
// Generate the response // Generate the response
resp.Auth = &logical.Auth{ resp.Auth = &logical.Auth{
DisplayName: te.DisplayName, DisplayName: te.DisplayName,
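Review bot: The non-assignable check is inserted between the `return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest` at the top of the hunk and the "Generate the response" block, which in this function is presumably the point after the token entry has already been created and persisted; if so, a request naming an internal policy is rejected only after a token carrying that policy exists in storage, leaving an orphaned token with the very policy the check is meant to keep off tokens. The guard should run before the entry is created, next to the existing policy validation on te.Policies, and for consistency with the neighbouring error return it should return `logical.ErrInvalidRequest` rather than `nil` as the error. This hunk only covers the token-create path; any other code that places policies on a token entry (auth-method login responses, role-based policy lists) presumably needs the same guard, which I cannot confirm from here. The comment also has a typo: `// Prevent internal policies from being assigned to tokens`. The enclosing handleCreateCommon starts and ends outside the hunk.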